Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack

Summary:
On March 9, 2025, GreyNoise detected a sharp, coordinated spike in Server-Side Request Forgery (SSRF) exploitation affecting multiple widely used platforms. At least 400 unique IPs were observed actively exploiting 10 different SSRF-related CVEs at the same time, and many of the same IPs attempted several of the CVEs, which points to structured, automated exploitation or pre-compromise reconnaissance rather than routine botnet noise. The most targeted countries during this surge were the United States, Germany, Singapore, India, and Japan. Israel had already seen SSRF exploitation as early as January, with renewed activity observed in this latest wave.

SSRF remains a critical attack vector because a vulnerable server can be made to issue requests on the attacker's behalf to destinations the attacker cannot reach directly, above all the cloud instance metadata service (169.254.169.254 on AWS, Azure and GCP). Attackers use that access to extract temporary cloud credentials, pivot within internal networks, and conduct reconnaissance. The vulnerability class has a well-documented history: an SSRF against a misconfigured web application firewall was the entry point in the 2019 Capital One breach, where IAM credentials retrieved from the EC2 metadata service led to the exposure of over 100 million records.
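The metadata-credential path above is the case a URL-fetching feature (webhooks, link previews, importers) has to defend against. The following is an added example written for this summary, not code from GreyNoise or from any of the affected vendors: it shows the probe URLs an SSRF attacker typically tries, including the encoded forms that defeat a plain string match on "169.254.169.254", and a validator that resolves the destination and refuses anything landing on an internal, loopback or link-local address. The blocked-network list, the allow-listed hostnames and the offline DNS table (api.example.com, evil.example.net, dual.example.net) are assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not code from the page, GreyNoise or any affected vendor.
# Destinations an application-tier fetcher should never reach. This list is
# an assumption: extend it with the deployment's own VPC/VNet ranges.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Offline stand-in for DNS so the example runs without network access. The
# names and addresses are constructed: evil.example.net models an
# attacker-owned name pointed at the metadata service, dual.example.net a
# name that mixes a public and an internal answer.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "evil.example.net": ["169.254.169.254"],
    "dual.example.net": ["203.0.113.20", "10.0.0.5"],
}

def normalize(addr):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is checked as IPv4."""
    if addr.version == 6 and addr.ipv4_mapped:
        return addr.ipv4_mapped
    return addr

def is_blocked(addr):
    addr = normalize(addr)
    return any(addr in net for net in BLOCKED_NETS)

def parse_ip_literal(host):
    """Parse a host as an IP literal, including the single-number decimal,
    hex and octal forms (2852039166, 0xa9fea9fe, 0o25177524776) that many
    HTTP clients accept and that naive string filters miss. Forms with a
    leading zero but no 0o/0x prefix are deliberately not parsed here."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except ValueError:
        return None

def resolve(host):
    """Resolve a hostname to all its addresses (offline table first, then DNS)."""
    if host in FAKE_DNS:
        return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    # sockaddr[0] may carry a "%scope" suffix on link-local IPv6 answers.
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]

def check_outbound_url(url):
    """Validate a user-supplied URL before the application fetches it.
    Returns (allowed, reason, pinned_addresses). The caller must connect to
    one of the returned addresses instead of resolving the name again;
    otherwise DNS rebinding can swap in an internal address after the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    literal = parse_ip_literal(host)
    if literal is not None:
        if is_blocked(literal):
            return False, f"IP literal {host!r} -> {normalize(literal)} is internal", []
        return True, "public IP literal", [literal]
    addrs = resolve(host)
    if not addrs:
        return False, f"{host!r} does not resolve", []
    bad = [a for a in addrs if is_blocked(a)]
    if bad:
        # Reject if *any* answer is internal: an attacker can publish a public
        # and an internal record and let the client fall back to the latter.
        return False, f"{host!r} resolves to internal address {bad[0]}", []
    return True, "ok", addrs

# URLs an SSRF probe typically feeds to a fetcher. The first is the classic
# AWS IMDSv1 credential path; the rest are encodings of the same destination
# or indirections that evade a plain string filter.
PROBES = [
    "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "http://2852039166/latest/meta-data/",
    "http://0xa9fea9fe/latest/meta-data/",
    "http://[::ffff:169.254.169.254]/latest/meta-data/",
    "http://evil.example.net/latest/meta-data/",
    "http://dual.example.net/",
    "file:///etc/passwd",
    "http://127.0.0.1:6379/",
]

if __name__ == "__main__":
    for url in PROBES + ["https://api.example.com/v1/items"]:
        allowed, reason, _ = check_outbound_url(url)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {url}  ({reason})")
```

URL validation is one layer, not the whole fix: it does not help against an open redirect on an allowed host, so the HTTP client must also refuse to follow redirects (or re-run the check on each hop), and on AWS the instance should require IMDSv2 with a hop limit of 1 so that a bare GET from an SSRF cannot read credentials even if the request gets through.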

The recent wave of SSRF exploitation targeted vulnerabilities across several platforms, including:
  • CVE-2020-7796 Zimbra Collaboration Suite
  • CVE-2021-22214 GitLab CE/EE
  • CVE-2021-39935 GitLab CE/EE
  • CVE-2021-22175 GitLab CE/EE
  • CVE-2017-0929 DotNetNuke
  • CVE-2021-22054 VMware Workspace ONE UEM
  • CVE-2021-21973 VMware vCenter
  • CVE-2023-5830 ColumbiaSoft DocumentLocator
  • CVE-2024-21893 Ivanti Connect Secure
  • CVE-2024-6587 BerriAI LiteLLM
  • OpenBMCS 2.4 authenticated SSRF attempt (no CVE assigned)
  • Zimbra Collaboration Suite SSRF attempt (no CVE assigned)

Security Officer Comments:
GreyNoise’s historical analysis of SSRF exploitation over the past six months highlights sustained activity in key regions, with Hong Kong, South Korea, Australia, France, Taiwan, Qatar, and Slovakia experiencing early SSRF spikes dating back to December 2024. In the past 24 hours, the exploitation has been limited to Israel and the Netherlands, indicating a focused attack effort in these regions.


Suggested Corrections:
Organizations should take immediate steps to ensure they are not exposed:
  • Patch and Harden Affected Systems
    • Apply the vendor patches for the targeted CVEs; where a patch cannot be applied yet, apply the vendor's published mitigations and restrict network access to the affected service.
  • Restrict Outbound Access Where Possible
    • Enforce egress allow-lists (proxy, firewall or security-group rules) so application servers can reach only the endpoints they need, and deny application-tier access to the instance metadata service and internal ranges unless it is genuinely required.
  • Monitor for Suspicious Outbound Requests
    • Alert on requests from application hosts to 169.254.169.254 (or the provider's metadata endpoint), to loopback and RFC 1918 addresses, and to any destination not on the expected egress list; a burst of such requests is the outbound signature of a successful SSRF.
  • Block Malicious IPs
    • Block the source IPs GreyNoise observed exploiting these CVEs at the perimeter, and review logs for earlier activity from them.
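The monitoring step is the one most teams have no starting point for, so here is an added example of the detection logic run over a constructed sample of egress-proxy log lines. It is not code from the page or from GreyNoise, and the log format (time, source host, method, URL, resolved destination IP, status) is an assumption; the point is the classification: a request whose destination resolves to the metadata endpoint or an internal range is flagged, as is a URL whose host is an encoded IP literal, and hits are counted per source host so a single compromised server stands out.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed egress-proxy log sample, not from the page or from GreyNoise.
# The line format (time src_host method url dest_ip status) is an assumption;
# adapt the split() in scan() to the proxy or flow-log format actually in use.
SAMPLE_LOG = """\
2025-03-09T10:01:02Z web-01 GET https://api.example.com/v1/items 203.0.113.10 200
2025-03-09T10:01:05Z web-01 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 169.254.169.254 200
2025-03-09T10:01:06Z web-02 GET http://2852039166/latest/meta-data/ 169.254.169.254 200
2025-03-09T10:01:09Z web-02 GET http://10.0.3.17:6379/ 10.0.3.17 502
2025-03-09T10:02:11Z web-03 GET https://cdn.example.com/logo.png 198.51.100.7 304
2025-03-09T10:02:12Z web-01 PUT http://[::ffff:169.254.169.254]/latest/api/token 169.254.169.254 401
"""

METADATA_IP = ipaddress.ip_address("169.254.169.254")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def classify(url, dest_ip):
    """Return the reasons (possibly none) an outbound request looks like SSRF."""
    reasons = []
    ip = ipaddress.ip_address(dest_ip)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    if ip == METADATA_IP:
        reasons.append("cloud metadata endpoint")
    elif any(ip in net for net in INTERNAL_NETS):
        reasons.append(f"internal/link-local destination {ip}")
    host = urlsplit(url).hostname or ""
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    # A URL host that is all digits or 0x-prefixed but is not a dotted quad
    # is an encoded IP literal (decimal or hex), a classic filter bypass.
    if literal is None and (host.replace(".", "").isdigit() or host.startswith("0x")):
        reasons.append(f"encoded IP literal in URL host {host!r}")
    elif literal is not None and literal.version == 6 and literal.ipv4_mapped:
        reasons.append(f"IPv4-mapped IPv6 literal in URL host {host!r}")
    return reasons

def scan(log_text):
    """Scan log lines; return (alerts, count of flagged requests per source host)."""
    alerts = []
    per_source = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, dest_ip, status = line.split()
        reasons = classify(url, dest_ip)
        if reasons:
            alerts.append({"time": ts, "src": src, "method": method,
                           "url": url, "status": status, "reasons": reasons})
            per_source[src] += 1
    return alerts, per_source

if __name__ == "__main__":
    alerts, per_source = scan(SAMPLE_LOG)
    for a in alerts:
        print(f"{a['time']} {a['src']} {a['method']} {a['url']} -> {'; '.join(a['reasons'])}")
    print("flagged requests per source host:", dict(per_source))
```

In production this runs against the proxy or VPC flow logs rather than an inline string, and the status column is worth keeping in the alert: a 200 from the metadata endpoint means credentials were very likely served, while a 401 on the IMDSv2 token path shows the attacker probing for token-based access and failing.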

Link(s):
https://thehackernews.com/2025/03/over-400-ips-exploiting-multiple-ssrf.html